Eric Lee / smarc-ti-linux-kernel

12 Apr, 2014

1 commit

  • 676d23690   net: Fix use after free by removing length arg from sk_data_ready callbacks. ... Browse Code »
    13

    Several spots in the kernel perform a sequence like:

    skb_queue_tail(&sk->s_receive_queue, skb);
    sk->sk_data_ready(sk, skb->len);

    But at the moment we place the SKB onto the socket receive queue it
    can be consumed and freed up. So this skb->len access is potentially
    to freed up memory.

    Furthermore, the skb->len can be modified by the consumer so it is
    possible that the value isn't accurate.

    And finally, no actual implementation of this callback actually uses
    the length argument. And since nobody actually cared about it's
    value, lots of call sites pass arbitrary values in such as '0' and
    even '1'.

    So just remove the length argument from the callback, that way there
    is no confusion whatsoever and all of these use-after-free cases get
    fixed as a side effect.

    Based upon a patch by Eric Dumazet and his suggestion to audit this
    issue tree-wide.

    Signed-off-by: David S. Miller

    David S. Miller
     

04 Mar, 2014

1 commit

  • 7727640cc   af_rxrpc: Keep rxrpc_call pointers in a hashtable ... Browse Code »

    Keep track of rxrpc_call structures in a hashtable so they can be
    found directly from the network parameters which define the call.

    This allows incoming packets to be routed directly to a call without walking
    through hierarchy of peer -> transport -> connection -> call and all the
    spinlocks that that entailed.

    Signed-off-by: Tim Smith
    Signed-off-by: David Howells

    Tim Smith
     

27 Feb, 2014

5 commits

  • e8388eb10   af_rxrpc: Request an ACK for every alternate DATA packet ... Browse Code »

    Set the RxRPC header flag to request an ACK packet for every odd-numbered DATA
    packet unless it's the last one (which implicitly requests an ACK anyway).
    This is similar to how librx appears to work.

    If we don't do this, we'll send out a full window of packets and then just sit
    there until the other side gets bored and sends an ACK to indicate that it's
    been idle for a while and has received no new packets.

    Requesting a lot of ACKs shouldn't be a problem as ACKs should be merged when
    possible.

    As AF_RXRPC currently works, it will schedule an ACK to be generated upon
    receipt of a DATA packet with the ACK-request packet set - and in the time
    taken to schedule this in a work queue, several other packets are likely to
    arrive and then all get ACK'd together.

    Signed-off-by: David Howells

    David Howells
     
  • 817913d8c   af_rxrpc: Expose more RxRPC parameters via sysctls ... Browse Code »

    Expose RxRPC parameters via sysctls to control the Rx window size, the Rx MTU
    maximum size and the number of packets that can be glued into a jumbo packet.

    More info added to Documentation/networking/rxrpc.txt.

    Signed-off-by: David Howells

    David Howells
     
  • 9823f39a1   af_rxrpc: Improve ACK production ... Browse Code »

    Improve ACK production by the following means:

    (1) Don't send an ACK_REQUESTED ack immediately even if the RXRPC_MORE_PACKETS
    flag isn't set on a data packet that has also has RXRPC_REQUEST_ACK set.

    MORE_PACKETS just means that the sender just emptied its Tx data buffer.
    More data will be forthcoming unless RXRPC_LAST_PACKET is also flagged.

    It is possible to see runs of DATA packets with MORE_PACKETS unset that
    aren't waiting for an ACK.

    It is therefore better to wait a small instant to see if we can combine an
    ACK for several packets.

    (2) Don't send an ACK_IDLE ack immediately unless we're responding to the
    terminal data packet of a call.

    Whilst sending an ACK_IDLE mid-call serves to let the other side know
    that we won't be asking it to resend certain Tx buffers and that it can
    discard them, spamming it with loads of acks just because we've
    temporarily run out of data just distracts it.

    (3) Put the ACK_IDLE ack generation timeout up to half a second rather than a
    single jiffy. Just because we haven't been given more data immediately
    doesn't mean that more isn't forthcoming. The other side may be busily
    finding the data to send to us.

    Signed-off-by: David Howells

    David Howells
     
  • 5873c0834   af_rxrpc: Add sysctls for configuring RxRPC parameters ... Browse Code »

    Add sysctls for configuring RxRPC protocol handling, specifically controls on
    delays before ack generation, the delay before resending a packet, the maximum
    lifetime of a call and the expiration times of calls, connections and
    transports that haven't been recently used.

    More info added in Documentation/networking/rxrpc.txt.

    Signed-off-by: David Howells

    David Howells
     
  • 6c9a2d320   af_rxrpc: Fix UDP MTU calculation from ICMP_FRAG_NEEDED ... Browse Code »

    AF_RXRPC sends UDP packets with the "Don't Fragment" bit set in an attempt to
    determine the maximum packet size between the local socket and the peer by
    invoking the generation of ICMP_FRAG_NEEDED packets.

    Once a packet is sent with the "Don't Fragment" bit set, it is then
    inconvenient to break it up as that requires recalculating all the rxrpc serial
    and sequence numbers and reencrypting all the fragments, so we switch off the
    "Don't Fragment" service temporarily and send the bounced packet again. Future
    packets then use the new MTU.

    That's all fine. The problem lies in rxrpc_UDP_error_report() where the code
    that deals with ICMP_FRAG_NEEDED packets lives. Packets of this type have a
    field (ee_info) to indicate the maximum packet size at the reporting node - but
    sometimes ee_info isn't filled in and is just left as 0 and the code must allow
    for this.

    When ee_info is 0, the code should take the MTU size we're currently using and
    reduce it for the next packet we want to send. However, it takes ee_info
    (which is known to be 0) and tries to reduce that instead.

    This was discovered by Coverity.

    Reported-by: Dave Jones
    Signed-off-by: David Howells

    David Howells
     

08 Feb, 2014

2 commits

  • b6f3a40cb   af_rxrpc: Prevent RxRPC peers from ABORT-storming one another ... Browse Code »

    When an ABORT is sent, aborting a connection, the sender quite reasonably
    forgets about the connection. If another frame is received, another ABORT
    will be sent. When the receiver gets it, it no longer applies to an extant
    connection, so an ABORT is sent, and so on...

    Prevent this by never sending a rejection for an ABORT packet.

    Signed-off-by: Tim Smith
    Signed-off-by: David Howells

    Tim Smith
     
  • 8961749e5   af_rxrpc: Remove incorrect checksum calculation from rxrpc_recvmsg() ... Browse Code »

    The UDP checksum was already verified in rxrpc_data_ready() - which calls
    skb_checksum_complete() - as the RxRPC packet header contains no checksum of
    its own. Subsequent calls to skb_copy_and_csum_datagram_iovec() are thus
    redundant and are, in any case, being passed only a subset of the UDP payload -
    so the checksum will always fail if that path is taken.

    So there is no need to check skb->ip_summed in rxrpc_recvmsg(), and no need for
    the csum_copy_error: exit path.

    Signed-off-by: Tim Smith
    Signed-off-by: David Howells

    Tim Smith
     

29 Jan, 2014

1 commit

26 Jan, 2014

3 commits

  • 1ea427359   af_rxrpc: Handle frames delivered from another VM ... Browse Code »

    On input, CHECKSUM_PARTIAL should be treated the same way as
    CHECKSUM_UNNECESSARY. See include/linux/skbuff.h

    Signed-off-by: Tim Smith
    Signed-off-by: David Howells

    Tim Smith
     
  • 24a9981ee   af_rxrpc: Avoid setting up double-free on checksum error ... Browse Code »

    skb_kill_datagram() does not dequeue the skb when MSG_PEEK is unset.
    This leaves a free'd skb on the queue, resulting a double-free later.

    Without this, the following oops can occur:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
    IP: [] skb_dequeue+0x47/0x70
    PGD 0
    Oops: 0002 [#1] SMP
    Modules linked in: af_rxrpc ...
    CPU: 0 PID: 1191 Comm: listen Not tainted 3.12.0+ #4
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    task: ffff8801183536b0 ti: ffff880035c92000 task.ti: ffff880035c92000
    RIP: 0010:[] skb_dequeue+0x47/0x70
    RSP: 0018:ffff880035c93db8 EFLAGS: 00010097
    RAX: 0000000000000246 RBX: ffff8800d2754b00 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8800d254c084
    RBP: ffff880035c93dd0 R08: ffff880035c93cf0 R09: ffff8800d968f270
    R10: 0000000000000000 R11: 0000000000000293 R12: ffff8800d254c070
    R13: ffff8800d254c084 R14: ffff8800cd861240 R15: ffff880119b39720
    FS: 00007f37a969d740(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000008 CR3: 00000000d4413000 CR4: 00000000000006f0
    Stack:
    ffff8800d254c000 ffff8800d254c070 ffff8800d254c2c0 ffff880035c93df8
    ffffffffa041a5b8 ffff8800cd844c80 ffffffffa04385a0 ffff8800cd844cb0
    ffff880035c93e18 ffffffff81546cef ffff8800d45fea00 0000000000000008
    Call Trace:
    [] rxrpc_release+0x128/0x2e0 [af_rxrpc]
    [] sock_release+0x1f/0x80
    [] sock_close+0x12/0x20
    [] __fput+0xe1/0x230
    [] ____fput+0xe/0x10
    [] task_work_run+0xbc/0xe0
    [] do_exit+0x2be/0xa10
    [] ? do_munmap+0x297/0x3b0
    [] do_group_exit+0x3f/0xa0
    [] SyS_exit_group+0x14/0x20
    [] system_call_fastpath+0x16/0x1b

    Signed-off-by: Tim Smith
    Signed-off-by: David Howells

    Tim Smith
     
  • 8f22ba61b   RxRPC: do not unlock unheld spinlock in rxrpc_connect_exclusive() ... Browse Code »

    If rx->conn is not NULL, rxrpc_connect_exclusive() does not
    acquire the transport's client lock, but it still releases it.

    The patch adds locking of the spinlock to this path.

    Found by Linux Driver Verification project (linuxtesting.org).

    Signed-off-by: Alexey Khoroshilov
    Signed-off-by: David Howells

    Alexey Khoroshilov
     

22 Jan, 2014

1 commit

  • 08d4d217d   rxrpc: out of bound read in debug code ... Browse Code »

    Smatch complains because we are using an untrusted index into the
    rxrpc_acks[] array. It's just a read and it's only in the debug code,
    but it's simple enough to add a check and fix it.

    Signed-off-by: Dan Carpenter
    Signed-off-by: David S. Miller

    Dan Carpenter
     

19 Jan, 2014

1 commit

  • 342dfc306   net: add build-time checks for msg->msg_name size ... Browse Code »

    This is a follow-up patch to f3d3342602f8bc ("net: rework recvmsg
    handler msg_name and msg_namelen logic").

    DECLARE_SOCKADDR validates that the structure we use for writing the
    name information to is not larger than the buffer which is reserved
    for msg->msg_name (which is 128 bytes). Also use DECLARE_SOCKADDR
    consistently in sendmsg code paths.

    Signed-off-by: Steffen Hurrle
    Suggested-by: Hannes Frederic Sowa
    Acked-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

    Steffen Hurrle
     

21 Nov, 2013

1 commit

20 Oct, 2013

1 commit

  • c1b1203d6   net: misc: Remove extern from function prototypes ... Browse Code »

    There are a mix of function prototypes with and without extern
    in the kernel sources. Standardize on not using extern for
    function prototypes.

    Function prototypes don't need to be written with extern.
    extern is assumed by the compiler. Its use is as unnecessary as
    using auto to declare automatic/local variables in a block.

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

    Joe Perches
     

22 Feb, 2013

1 commit

  • 06991c28f   Merge tag 'driver-core-3.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core ... Browse Code »

    Pull driver core patches from Greg Kroah-Hartman:
    "Here is the big driver core merge for 3.9-rc1

    There are two major series here, both of which touch lots of drivers
    all over the kernel, and will cause you some merge conflicts:

    - add a new function called devm_ioremap_resource() to properly be
    able to check return values.

    - remove CONFIG_EXPERIMENTAL

    Other than those patches, there's not much here, some minor fixes and
    updates"

    Fix up trivial conflicts

    * tag 'driver-core-3.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (221 commits)
    base: memory: fix soft/hard_offline_page permissions
    drivercore: Fix ordering between deferred_probe and exiting initcalls
    backlight: fix class_find_device() arguments
    TTY: mark tty_get_device call with the proper const values
    driver-core: constify data for class_find_device()
    firmware: Ignore abort check when no user-helper is used
    firmware: Reduce ifdef CONFIG_FW_LOADER_USER_HELPER
    firmware: Make user-mode helper optional
    firmware: Refactoring for splitting user-mode helper code
    Driver core: treat unregistered bus_types as having no devices
    watchdog: Convert to devm_ioremap_resource()
    thermal: Convert to devm_ioremap_resource()
    spi: Convert to devm_ioremap_resource()
    power: Convert to devm_ioremap_resource()
    mtd: Convert to devm_ioremap_resource()
    mmc: Convert to devm_ioremap_resource()
    mfd: Convert to devm_ioremap_resource()
    media: Convert to devm_ioremap_resource()
    iommu: Convert to devm_ioremap_resource()
    drm: Convert to devm_ioremap_resource()
    ...

    Linus Torvalds
     

19 Feb, 2013

2 commits

  • ece31ffd5   net: proc: change proc_net_remove to remove_proc_entry ... Browse Code »

    proc_net_remove is only used to remove proc entries
    that under /proc/net,it's not a general function for
    removing proc entries of netns. if we want to remove
    some proc entries which under /proc/net/stat/, we still
    need to call remove_proc_entry.

    this patch use remove_proc_entry to replace proc_net_remove.
    we can remove proc_net_remove after this patch.

    Signed-off-by: Gao feng
    Signed-off-by: David S. Miller

    Gao feng
     
  • d4beaa66a   net: proc: change proc_net_fops_create to proc_create ... Browse Code »

    Right now, some modules such as bonding use proc_create
    to create proc entries under /proc/net/, and other modules
    such as ipv4 use proc_net_fops_create.

    It looks a little chaos.this patch changes all of
    proc_net_fops_create to proc_create. we can remove
    proc_net_fops_create after this patch.

    Signed-off-by: Gao feng
    Signed-off-by: David S. Miller

    Gao feng
     

12 Jan, 2013

1 commit

  • af2b08d31   net/rxrpc: remove depends on CONFIG_EXPERIMENTAL ... Browse Code »

    The CONFIG_EXPERIMENTAL config item has not carried much meaning for a
    while now and is almost always enabled by default. As agreed during the
    Linux kernel summit, remove it from any "depends on" lines in Kconfigs.

    CC: "David S. Miller"
    Signed-off-by: Kees Cook
    Acked-by: David S. Miller

    Kees Cook
     

10 Jan, 2013

1 commit

15 Oct, 2012

1 commit

  • d25282d1c   Merge branch 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux ... Browse Code »

    Pull module signing support from Rusty Russell:
    "module signing is the highlight, but it's an all-over David Howells frenzy..."

    Hmm "Magrathea: Glacier signing key". Somebody has been reading too much HHGTTG.

    * 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: (37 commits)
    X.509: Fix indefinite length element skip error handling
    X.509: Convert some printk calls to pr_devel
    asymmetric keys: fix printk format warning
    MODSIGN: Fix 32-bit overflow in X.509 certificate validity date checking
    MODSIGN: Make mrproper should remove generated files.
    MODSIGN: Use utf8 strings in signer's name in autogenerated X.509 certs
    MODSIGN: Use the same digest for the autogen key sig as for the module sig
    MODSIGN: Sign modules during the build process
    MODSIGN: Provide a script for generating a key ID from an X.509 cert
    MODSIGN: Implement module signature checking
    MODSIGN: Provide module signing public keys to the kernel
    MODSIGN: Automatically generate module signing keys if missing
    MODSIGN: Provide Kconfig options
    MODSIGN: Provide gitignore and make clean rules for extra files
    MODSIGN: Add FIPS policy
    module: signature checking hook
    X.509: Add a crypto key parser for binary (DER) X.509 certificates
    MPILIB: Provide a function to read raw data into an MPI
    X.509: Add an ASN.1 decoder
    X.509: Add simple ASN.1 grammar compiler
    ...

    Linus Torvalds
     

08 Oct, 2012

1 commit

  • cf7f601c0   KEYS: Add payload preparsing opportunity prior to key instantiate or update ... Browse Code »

    Give the key type the opportunity to preparse the payload prior to the
    instantiation and update routines being called. This is done with the
    provision of two new key type operations:

    int (*preparse)(struct key_preparsed_payload *prep);
    void (*free_preparse)(struct key_preparsed_payload *prep);

    If the first operation is present, then it is called before key creation (in
    the add/update case) or before the key semaphore is taken (in the update and
    instantiate cases). The second operation is called to clean up if the first
    was called.

    preparse() is given the opportunity to fill in the following structure:

    struct key_preparsed_payload {
    char *description;
    void *type_data[2];
    void *payload;
    const void *data;
    size_t datalen;
    size_t quotalen;
    };

    Before the preparser is called, the first three fields will have been cleared,
    the payload pointer and size will be stored in data and datalen and the default
    quota size from the key_type struct will be stored into quotalen.

    The preparser may parse the payload in any way it likes and may store data in
    the type_data[] and payload fields for use by the instantiate() and update()
    ops.

    The preparser may also propose a description for the key by attaching it as a
    string to the description field. This can be used by passing a NULL or ""
    description to the add_key() system call or the key_create_or_update()
    function. This cannot work with request_key() as that required the description
    to tell the upcall about the key to be created.

    This, for example permits keys that store PGP public keys to generate their own
    name from the user ID and public key fingerprint in the key.

    The instantiate() and update() operations are then modified to look like this:

    int (*instantiate)(struct key *key, struct key_preparsed_payload *prep);
    int (*update)(struct key *key, struct key_preparsed_payload *prep);

    and the new payload data is passed in *prep, whether or not it was preparsed.

    Signed-off-by: David Howells
    Signed-off-by: Rusty Russell

    David Howells
     

14 Sep, 2012

1 commit

11 Jul, 2012

2 commits

10 Jul, 2012

1 commit

  • cae296c42   net/rxrpc/ar-peer.c: remove invalid reference to list iterator variable ... Browse Code »

    If list_for_each_entry, etc complete a traversal of the list, the iterator
    variable ends up pointing to an address at an offset from the list head,
    and not a meaningful structure. Thus this value should not be used after
    the end of the iterator. This seems to be a copy-paste bug from a previous
    debugging message, and so the meaningless value is just deleted.

    This problem was found using Coccinelle (http://coccinelle.lip6.fr/).

    Signed-off-by: Julia Lawall
    Signed-off-by: David S. Miller

    Julia Lawall
     

11 Jun, 2012

1 commit

  • 46517008e   ipv4: Kill ip_rt_frag_needed(). ... Browse Code »
    38

    There is zero point to this function.

    It's only real substance is to perform an extremely outdated BSD4.2
    ICMP check, which we can safely remove. If you really have a MTU
    limited link being routed by a BSD4.2 derived system, here's a nickel
    go buy yourself a real router.

    The other actions of ip_rt_frag_needed(), checking and conditionally
    updating the peer, are done by the per-protocol handlers of the ICMP
    event.

    TCP, UDP, et al. have a handler which will receive this event and
    transmit it back into the associated route via dst_ops->update_pmtu().

    This simplification is important, because it eliminates the one place
    where we do not have a proper route context in which to make an
    inetpeer lookup.

    Signed-off-by: David S. Miller

    David S. Miller
     

16 Apr, 2012

1 commit

15 Feb, 2012

1 commit

20 Dec, 2011

1 commit

  • 3db1cd5c0   net: fix assignment of 0/1 to bool variables. ... Browse Code »

    DaveM said:
    Please, this kind of stuff rots forever and not using bool properly
    drives me crazy.

    Joe Perches gave me the spatch script:

    @@
    bool b;
    @@
    -b = 0
    +b = false
    @@
    bool b;
    @@
    -b = 1
    +b = true

    I merely installed coccinelle, read the documentation and took credit.

    Signed-off-by: Rusty Russell
    Signed-off-by: David S. Miller

    Rusty Russell
     

22 Nov, 2011

1 commit

01 Nov, 2011

1 commit

20 May, 2011

5 commits

04 May, 2011

1 commit